The new API created by Google developers, dubbed WebUSB API, was published late last month and isstill unofficial. The API is described as a “way to safely expose USB device services to the Web.” The new API addresses all devices that can be connected to desktop system via USB port, from USB keyboards to IoT (Internet of Things) devices. The API is backward compatible, and is aimed to work with older USB devices.
The developers have also touched upon the security and privacy issues with their new WebUSB API and plan to build a system dubbed CORS or Cross-Origin Resource Sharing. The system “employed by browsers” will prevent page resources (such as fonts, JS scripts) from requesting data from other domains apart from the initiated one.
Grant and Rockot add that an attacker could write a malicious code that can use WebUSB API to access user’s system for all available peripherals and their serial numbers leading any third-party to collect data. The CORS system for the new WebUSB API is aimed to “limit direct access to peripherals.”
The developers have also confirmed that the WebUSB API is backward compatible which will mean that it will support old manufactured USB-capable devices to work without any additional firmware.
“For devices manufactured before this specification is adopted information about allowed origins and landing pages can also be provided out of band by being published in a public registry,” they added. Developers can make suggestions at the WebUSB API GitHub repository.